Summary

AppDynamics is announcing a patch for a security vulnerability in a third-party component used in the Controller. The vulnerability could allow remote attackers to obtain sensitive information via vectors that are associated with a request, and related to injected tags and external entity references in XML documents.

Affected Software

Product: All AppDynamics Products
Component: AppDynamics Controller
Version: 3.9 versions below 3.9.8.7; 4.0 versions below 4.0.8.2; 4.1 versions below 4.1.2.2
Exploitability: Low
Severity: High
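
The affected ranges listed above can be checked against a Controller inventory with a short script. This is an added example, not AppDynamics code: the function names are hypothetical and the host names and versions in INVENTORY are constructed. Branches the advisory does not list are reported as not-listed rather than guessed.

```python
import re

# First fixed build per release branch, taken from the Affected Software table.
FIXED = {
    (3, 9): (3, 9, 8, 7),
    (4, 0): (4, 0, 8, 2),
    (4, 1): (4, 1, 2, 2),
}

def parse_version(text):
    """Turn '4.1.2.0' into (4, 1, 2, 0); shorter versions are zero-padded."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def classify(version_text):
    """Return 'affected', 'patched' or 'not-listed' for one Controller version."""
    version = parse_version(version_text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "not-listed"  # branch is not covered by this advisory
    # Tuple comparison is numeric, so 4.0.10.0 sorts above 4.0.8.2.
    return "affected" if version < fixed else "patched"

def triage(inventory):
    """Map each host to its status; bad version strings become 'unparseable'."""
    report = {}
    for host, version_text in inventory.items():
        try:
            report[host] = classify(version_text)
        except ValueError:
            report[host] = "unparseable"
    return report

# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = {
    "controller-a.example.internal": "3.9.8.6",
    "controller-b.example.internal": "4.0.10.0",
    "controller-c.example.internal": "4.1.2",
    "controller-d.example.internal": "4.2.0.0",
    "controller-e.example.internal": "4.1.x",
}

if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items()):
        print(f"{host}\t{INVENTORY[host]}\t{status}")
```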

Key/Legend for Ratings and Vulnerabilities

Exploitability Rating

Known: AppDynamics is aware of a known exploit. Customers should treat known exploits with the highest priority.
High: AppDynamics believes there is a high probability that a vulnerability is exploitable by an attacker.
Medium: AppDynamics believes there is a moderate probability that a vulnerability is exploitable by an attacker.
Low: AppDynamics believes there is a low probability that a vulnerability is exploitable by an attacker.

Severity Rating

High: Exploit allows an attacker to compromise confidentiality, integrity, accountability, or availability of user data, or of the integrity or availability of processing resources without any mitigations like notifications, audits, and/or authentication.
Medium: Exploit allows an attacker to compromise confidentiality, integrity, accountability, or availability of user data, or of the integrity or availability of processing resources with reasonable mitigations like notifications, and/or authentication mechanisms.
Low: Exploit allows an attacker to compromise confidentiality, integrity, accountability, or availability of user data, or of the integrity or availability of processing resources; however, significant mitigations like notifications, and/or authentication mechanisms are in place to reduce the severity of the impact.

Patched Versions

Acknowledgements

Matthias Kaiser of Code White

Disclaimer

The information provided in this security advisory is provided "as is" without warranty of any kind. AppDynamics disclaims all warranties with respect thereto, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall AppDynamics or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if AppDynamics or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply to you.